27 Sep 2022
Difficulty: 🌕🌕🌕🌕🌑
The creator of this contract was careful enough to protect the sensitive areas of its storage.
Unlock this contract to beat the level.
Things that might help:
- Understanding how storage works
- Understanding how parameter parsing works
- Understanding how casting works
Contract
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
contract Privacy {
bool public locked = true;
uint256 public ID = block.timestamp;
uint8 private flattening = 10;
uint8 private denomination = 255;
uint16 private awkwardness = uint16(now);
bytes32[3] private data;
constructor(bytes32[3] memory _data) public {
data = _data;
}
function unlock(bytes16 _key) public {
require(_key == bytes16(data[2]));
locked = false;
}
/*
A bunch of super advanced solidity algorithms...
,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`
.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,
*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^ ,---/V\
`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*. ~|__(o.o)
^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*'^`*.,*' UU UU
*/
}
Writeup
Although data is private variable. We still can use web3.eth.getStorageAt to get the state of the contract’s storage.
- Get new instance.
- Try to get
locked value by web3.eth.getStorageAt.
await web3.eth.getStorageAt("YOUR_LEVEL_INSTANCE_ADDRESS", 1)
// '0x0000000000000000000000000000000000000000000000000000000000000001' // return locked value // true
- Get
data[2].
await web3.eth.getStorageAt("YOUR_LEVEL_INSTANCE_ADDRESS", 5)
// '0x7c1db6671abbdbf3884f953ac1683887832f14843bc56d6f3250a825a233f93e'
- Unlock.
await contract.unlock('0x7c1db6671abbdbf3884f953ac1683887')
- Get
locked value again.
await web3.eth.getStorageAt("YOUR_LEVEL_INSTANCE_ADDRESS", 1)
// '0x0000000000000000000000000000000000000000000000000000000000000000' // false
- Submit instance ξ( ✿>◡❛)
26 Sep 2022
PicoCTF 2021 / Reverse Engineering
Description
There is something on my shop network running at nc mercury.picoctf.net 16524, but I can’t tell what it is. Can you?
Prereguisite
G-code
Writeup
- Save G-code to the file
nc mercury.picoctf.net 16524 > g.gcode
- Go to this website and open
g.gcode.
- Here’s flag !
picoCTF{num3r1cal_c0ntr0l_e7749028} ٩(^ᴗ^)۶
26 Sep 2022
PicoCTF 2021 / Forensics / sleuthkit
Description
Description
Download the disk image and use mmls on it to find the size of the Linux partition. Connect to the remote checker service to check your answer and get the flag.
Note: if you are using the webshell, download and extract the disk image into /tmpnot your home directory.
Prereguisite
mmls, which is a tool of sleuthkit used to display the partition layout of a volume system (partition tables).
Writeup
- Download the file.
wget https://artifacts.picoctf.net/c/114/disk.img.gz
- Unzip.
- Display the partition layout of a volume system (partition tables).
nc saturn.picoctf.net 52279 and input 202752.- Here’s flag !
picoCTF{mm15_f7w!} ٩(^ᴗ^)۶
26 Sep 2022
PicoCTF 2022 / Reverse Engineering
Description
Can you open this safe?
I forgot the key to my safe but this program is supposed to help me with retrieving the lost key. Can you help me unlock my safe?
Put the password you recover into the picoCTF flag format like:
picoCTF{password}
Writeup
- Download the progrem
SafeOpener.java. There is a method named openSafe used to check if password correct. String encodedkey is password which was transferd to byte array and encode.
- We can derive the password by decoding string
encodedkey. Add four lines to openSafe method.
- Execute the program. Here’s flag!
picoCTF{pl3as3_l3t_m3_1nt0_th3_saf3} ٩(^ᴗ^)۶
26 Sep 2022
PicoCTF 2022 / Forensics
Description
Now you DON’T see me.
This report has some critical data in it, some of which have been redacted correctly, while some were not. Can you find an important key that was not redacted properly?
Prereguisite
pdftotext
You can download by sudo apt install poppler-utils.
Writeup
- Download the pdf.
wget https://artifacts.picoctf.net/c/264/Financial_Report_for_ABC_Labs.pdf
- Convert pdf to txt.
pdftotext Financial_Report_for_ABC_Labs.pdf
- Grep the flag.
cat Financial_Report_for_ABC_Labs.txt| grep pico
- Here’s flag!
picoCTF{C4n_Y0u_S33_m3_fully} ٩(^ᴗ^)۶